For directed deauthentications,​ aireplay-ng sends out a total of 128 packets for each deauth you specify. ​ 64 packets are sent to the AP itself and 64 packets are sent to the client.

+

+

Here is what the "[ 61|63 ACKs]" means:

+

+

* [ ACKs received from the client | ACKs received from the AP ]

+

* You will notice that the number in the example above is lower then 64 which is the number of packets sent. It is not unusual to lose a few packets. ​ Conversely, if the client was actively communicating at the time, the counts could be greater then 64.

+

* How do you use this information? ​ This gives you a good indication if the client and or AP heard the packets you sent. A zero value definitely tells the client and/or AP did not hear your packets. ​ Very low values likely indicate you are quite a distance and the signal strength is poor.

After sending the five batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.

+

After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.

If the driver is [[http://​www.linux-wlan.com/​linux-wlan|wlan-ng]],​ you should run the [[airmon-ng]] script (unless you know what to type) otherwise the card won't be correctly setup for injection.

If the driver is [[http://​www.linux-wlan.com/​linux-wlan|wlan-ng]],​ you should run the [[airmon-ng]] script (unless you know what to type) otherwise the card won't be correctly setup for injection.

-

===== Mass denial-of-service with a RT2500 ​card =====

+

===== Usage Tips =====

+

+

It is usually more effective to target a specific station using the -c parameter.

+

+

The deauthentication packets are sent directly from your PC to the clients. ​ So you must be physically close enough to the clients for your wireless card transmissions to reach them.

+

+

+

===== Usage Troubleshooting =====

+

+

===== Why does deauthentication not work? =====

+

+

There can be several reasons and one or more can affect you:

+

+

* You are physically too far away from the client(s). ​ You need enough transmit power for the packets to reach and be heard by the clients. ​ If you do a full packet capture, each packet sent to the client should result in an "​ack"​ packet back. This means the client heard the packet. ​ If there is no "​ack"​ then likely it did not receive the packet.

+

* Wireless cards work in particular modes such b, g, n and so on. If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission. ​ See the previous item for confirming the client received the packet.

+

* Some clients ignore broadcast deauthentications. ​ If this is the case, you will need to send a deauthentication directed at the particular client.

+

* Clients may reconnect too fast for you to see that they had been disconnected. ​ If you do a full packet capture, you will be able to look for the reassociation packets in the capture to confirm deauthentication worked.

+

+

+

===== General ​=====

-

airmon-ng start ra0

+

See the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]].

-

​aireplay-ng -0 0 -a 00:​13:​10:​30:​24:​9C ra0

+

-

With parameter 0, this attack will loop forever sending deauthentication packets to the broadcast address, thus preventing clients from staying connected. Sadly, the most up-to-date drivers and firmwares ignore deauthentications sent to broadcasts, so you need to send them directly to them using the -c option as described above.